CVE-2026-10540 PUBLISHED

Weak password hash protection in Control-M/Enterprise Manager

Assigner: airbus
Reserved: 01.06.2026 Published: 01.07.2026 Updated: 01.07.2026

Control-M/Enterprise Manager uses weak protections for stored hashes of account passwords, potentially allowing offline password recovery attacks if an attacker obtains the credential data. This vulnerability affects unsupported Control-M/Enterprise Manager versions 9.0.20.x and potentially earlier unsupported versions.

Metrics

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 5.6

Product Status

Vendor BMC
Product Control-M/Enterprise Manager
Versions Default: affected
  • Version 9.0.21 is unaffected
  • affected from 9.0.20 to 9.0.21 (excl.)

Credits

  • Jean-Romain Garnier from [Airbus Security Lab](https://airbus-seclab.github.io) - <vuln@airbus.com> (finder)
  • Quentin Liddell from [Airbus Security Lab](https://airbus-seclab.github.io) - <vuln@airbus.com> (finder)

References

Problem Types

  • CWE-328: Use of weak hash